Skip to content

chore: scaffold initial rust workspace#1

Merged
paolodamico merged 4 commits into
mainfrom
takis/initial-rust-workspace
Jul 14, 2026
Merged

chore: scaffold initial rust workspace#1
paolodamico merged 4 commits into
mainfrom
takis/initial-rust-workspace

Conversation

@Takaros999

Copy link
Copy Markdown
Contributor

This PR sets up the initial Rust workspace for the embedding verifier.

  • adds api and secure-enclave crates on Rust 1.97.0
  • implements the Axum /health route with environment state and endpoint coverage
  • adds formatting, linting, build, test, and cargo-deny CI checks

@socket-security

socket-security Bot commented Jul 12, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: cargo hyper-util is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/axum@0.8.9cargo/hyper-util@0.1.20

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/hyper-util@0.1.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo libc is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?cargo/tokio@1.52.3cargo/libc@0.2.186

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/libc@0.2.186. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: cargo tokio is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: api/Cargo.tomlcargo/tokio@1.52.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/tokio@1.52.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: cargo unicode-ident under Unicode-3.0

License: Unicode-3.0 - The applicable license policy does not permit this license (5) (unicode-ident-1.0.24/LICENSE-UNICODE)

From: ?cargo/tracing@0.1.44cargo/axum@0.8.9cargo/tokio@1.52.3cargo/unicode-ident@1.0.24

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/unicode-ident@1.0.24. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Comment thread .github/workflows/ci.yml Fixed
Comment thread .github/workflows/ci.yml Fixed
Comment thread .github/workflows/ci.yml Fixed
Comment thread .github/workflows/ci.yml Fixed
@Takaros999 Takaros999 changed the title chore: scaffold initial rust workspace chore(hello-world): scaffold initial rust workspace Jul 12, 2026
@Takaros999
Takaros999 marked this pull request as ready for review July 12, 2026 01:34
@semgrep-code-worldcoin

Copy link
Copy Markdown

Semgrep found 8 third-party-action-not-pinned-to-commit-sha findings:

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Semgrep found 13 github-actions-mutable-action-tag findings:

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 210a3c9c75

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/ci.yml
components: clippy
- uses: Swatinem/rust-cache@v2
- name: Run Clippy
run: cargo clippy --locked --all-targets --all-features --

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Make the lint job pass on the scaffold

This CI step currently exits non-zero because the API crate denies the full clippy::pedantic/clippy::nursery groups and the newly added code already trips denied lints, e.g. api/src/routes/health.rs::handler is async without any .await (unused_async) and api/src/routes/mod.rs::handler returns a value without #[must_use] (must_use_candidate). Since this job runs on every PR and push to main, the scaffold cannot get a green CI run until those lints are fixed or explicitly allowed.

Useful? React with 👍 / 👎.

Comment thread rustfmt.toml Outdated
@paolodamico paolodamico changed the title chore(hello-world): scaffold initial rust workspace chore: scaffold initial rust workspace Jul 14, 2026
Comment thread Cargo.toml
version = "0.1.0"
license = "MIT"
publish = false

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit. let's set up linting rules globally for the workspace

Comment thread README.md
└── secure-enclave/ # Secure enclave process
```

## Development

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd drop this section, not super helpful

Comment thread README.md
cargo test --all
```

For private repository access, install and authenticate the GitHub CLI using its

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is relevant right now?

Comment thread README.md
For private repository access, install and authenticate the GitHub CLI using its
[official RPM instructions](https://github.com/cli/cli/blob/trunk/docs/install_linux.md#dnf4).

Optionally install Codex for development on the remote host:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd also drop this, or just keep a generic you can install an agent tool like Codex or Claude in the remote host

Comment thread Cargo.toml

[workspace.package]
edition = "2024"
rust-version = "1.97.0"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's not repeat with the rust-toolchain?

Comment thread .github/workflows/ci.yml
name: Format
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please use explicit hashes for the workflow versions

Comment thread .github/workflows/ci.yml
with:
components: rustfmt
- name: Check formatting
run: cargo fmt --all -- --check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit. I'd run format and lint on the same one

Comment thread .github/workflows/ci.yml
- uses: Swatinem/rust-cache@v2
- name: Build debug
run: cargo build --locked --verbose
- name: Build release

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure building debug and release is adding much, I'd just build release, the debug version is implicitly built for tests

Comment thread .github/workflows/ci.yml
- uses: EmbarkStudios/cargo-deny-action@v2
with:
command: check ${{ matrix.checks }}
rust-version: 1.97.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd drop this to avoid having another source of truth for rust version

@paolodamico
paolodamico merged commit 3d149bb into main Jul 14, 2026
11 checks passed
@paolodamico
paolodamico deleted the takis/initial-rust-workspace branch July 14, 2026 19:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants